New Ransomware Strain

This week in Security News, a new ransomware called Bad Rabbit has been infecting networks in Russia, Asia, and Europe since yesterday. Some infections in the US have also been reported. So far it’s not spreading nearly as quickly as WannaCry and Petya, fortunately.

Here are the important bits:

It seems to be infecting computers by fake Adobe Flash update notifications coming from compromised websites.

It contains a file full of common/default usernames and passwords, and attempts to connect to and infect other hosts on the network using those user/pass combos.

It *does not* exploit the EternalBlue hole in SMB1, so the WannaCry patches don’t prevent it from spreading to other machines on the same network, so make sure all devices have non-default and complex passwords.

Users have 40 hours to pay the ransom (.05 Bitcoins, ~$285) before the price goes up. There’s no indication paying the ransom will actually get files unlocked.

Protection:

Users not running as admins

Updated AV definitions

Non-default and complex passwords on all devices

For now, blocking execution of c:\Windows\infpub.dat and c:\Windows\cscc.dat will supposedly prevent infection